NETWORK POLICY MANAGEMENT AND EFFECTIVENESS SYSTEM



BACKGROUND 



1. Field of the Invention

This invention relates in general to networked computing systems, and more 
particularly, to a system for maintaining network security policy compliance. 



2. Description of Related Art 

The Internet and computer networks allow organizations to store applications and information on central servers, waiting to be called up and manipulated from any location. Networks allow people greater access to files and other confidential information. Global networks, including the Internet, and remote access increase the vulnerability of corporate data, increase the risk of information leaks, unauthorized document access and disclosure of confidential information, fraud, and privacy violations.

Employees are the greatest threat to an organization's information security. 
Employees with access to information resources including email, the Intemet, and 
on-line networks significantly increase the security risks. 

Employees are using email for personal purposes, creating questions of appropriate use of company resources, workplace productivity and appropriateness of message content. One of the greatest sources of information leaks is employee-sent email. With electronic communication and networks, an electronic paper trail is harder to establish: because there is no record of who accessed, altered, tampered with, reviewed, or copied a file, it can be very difficult to determine a document's authenticity and to provide an audit and paper trail. In addition, there is no automated system to centrally collect, analyze, measure, index, organize, track, determine authorized and unauthorized file access and disclosure, link hard copy information with electronic files including email, and report on how information flows in and out of an organization.

Setting proper use and security policies is a method to create order and set standards for network use. Policies are ineffective unless users understand and comply with the policies. Unfortunately, most organizations do not have tangible proof when, and if, a network-based policy violation has occurred until long after the damage has been done. Due to the technical nature of network policy violations, policy enforcement officers may not have adequate knowledge, skill, and evidence to properly execute a policy violation claim. Cases of selective policy enforcement can occur if policy violations are not consistently reported, filed, investigated, and resolved.

Employees often view e-mail as equivalent to a private conversation. This view often does not reflect the official position of the organization. These communications reflect preliminary thoughts or ideas that have not been reviewed by the organization and typically only reflect the personal opinion of the parties involved. Yet, since employees of the organization create these communications, courts and regulatory agencies have concluded that employee communications can reflect the organization's view. There is a further need for network communications software programs that offer robust policy compliance assistance, policy effectiveness monitoring and reporting.

There is a need for an automated system to assist policy enforcement officers 
with proper policy enforcement procedure, and methods to measure policy 
effectiveness, appropriateness, user system activity and compliance. 


SUMMARY OF THE INVENTION

To overcome the limitations in the prior art described above, and to overcome other limitations that will become apparent upon reading and understanding the present specification, the present invention discloses a method and apparatus for maintaining policy compliance on a computer network. A system in accordance with the principles of the invention performs the steps of electronically monitoring network user compliance with a network security policy stored in a database, electronically evaluating network security policy compliance based on network user compliance, and electronically undertaking a network policy compliance action in response to network security policy compliance. The network policy compliance actions may include electronically implementing a different network security policy selected from network security policies stored in the database, generating policy effectiveness reports, and providing a retraining module to network users.

One preferred embodiment of the present invention includes notifying a network user and a policy administrator, providing a retraining module to the network user, and restricting the network user's network access rights in response to monitoring network user compliance.

These and various other advantages and features of novelty which characterize the invention and various preferred embodiments are pointed out with particularity in the claims which are annexed hereto and which form a part hereof. However, for a better understanding of the invention, its advantages, and the objects obtained by its use, reference should be made to the drawings which form a further part hereof, and to accompanying descriptive matter, in which there is illustrated and described specific examples of apparatus in accordance with preferred embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

Referring now to the drawings in which like reference numbers represent corresponding parts throughout:

FIG. 1 is a block diagram illustrating a policy effectiveness system according to an embodiment of this invention;

FIG. 2 is a block diagram illustrating the steps performed by the policy training module according to an embodiment of this invention;

FIGS. 3A-3C are block diagrams further illustrating the steps performed by a policy training module according to an embodiment of this invention;

FIG. 4 is a block diagram further illustrating the steps performed by a policy training module in administering a policy training exam;

FIG. 5 is a block diagram further illustrating the operation of a policy effectiveness system according to an embodiment of this invention;

FIG. 6 is a block diagram illustrating the steps performed by a policy compliance and reporting module according to an embodiment of this invention;
FIG. 7 is a block diagram further illustrating the steps performed by a policy compliance and reporting module according to an embodiment of this invention;

FIG. 8 is a block diagram illustrating the appeal process performed by a policy compliance and reporting module according to an embodiment of this invention;

FIG. 9 is a block diagram further illustrating a policy effectiveness system according to an embodiment of this invention;

Figure 10 is an exemplary screen display illustrating the opening screen for policy training according to an embodiment of the invention;

Figure 11 is an exemplary screen display illustrating the terms of the software licensing agreement according to an embodiment of the invention;

Figure 12 is an exemplary screen display illustrating the terms of the continuation of the software licensing agreement according to an embodiment of the invention;

Figures 13 and 14 are exemplary screen displays illustrating the terms of the privacy agreement according to an embodiment of the invention;

Figure 15 is an exemplary screen display illustrating choosing a screen identity according to an embodiment of the invention;

Figure 16 is an exemplary screen display illustrating assigning the user a session number according to an embodiment of the invention;

Figure 17 is an exemplary screen display illustrating the introduction to the virtual facilitator according to an embodiment of the invention;

Figure 18 is an exemplary screen display illustrating the suggested policy according to an embodiment of the invention;

Figure 19 is an exemplary screen display illustrating the network user discussion options according to an embodiment of the invention;

Figure 20 is an exemplary screen display illustrating group policy discussions according to an embodiment of the invention;

Figure 21 is an exemplary screen display illustrating policy writing according to an embodiment of the invention;

Figure 22 is an exemplary screen display illustrating the network user discussion options according to an embodiment of the invention;

Figure 23 is an exemplary screen display illustrating the policy consensus according to an embodiment of the invention;

Figure 24 is an exemplary screen display illustrating the policy training options according to an embodiment of the invention;

Figure 25 is an exemplary screen display illustrating the policy exam according to an embodiment of the invention;

Figure 26 is an exemplary screen display illustrating a training feedback and evaluation form according to an embodiment of the invention;

Figure 27 is an exemplary screen display illustrating an Appropriate Use Agreement/Employee Agreement form according to an embodiment of the invention;

Figure 28 is an exemplary screen display illustrating an Appropriate Use Agreement/Employee Agreement form according to an embodiment of the invention;

Figure 29 is an exemplary screen display illustrating the end of the training according to an embodiment of the invention;

Figure 30 is an exemplary screen display illustrating the policy compliance and reporting according to an embodiment of the invention;

Figure 31 is an exemplary screen display illustrating the User Profile according to an embodiment of the invention;

Figure 32 is an exemplary screen display illustrating Email Compliance according to an embodiment of the invention;

Figure 33 is an exemplary screen display illustrating Document Management according to an embodiment of the invention;

Figure 34 is an exemplary screen display illustrating Software Compliance according to an embodiment of the invention;

Figure 35 is an exemplary screen display illustrating the audit function according to an embodiment of the invention;

Figure 36 is an exemplary screen display illustrating a Network Non-Compliance Notice according to an embodiment of the invention;

Figure 37 is an exemplary screen display illustrating a Network Compliance Action Notice according to an embodiment of the invention;

Figure 38 is an exemplary screen display illustrating a policy compliance violation report according to an embodiment of the invention;

Figure 39 is an exemplary screen display illustrating a network policy action notice according to an embodiment of the invention;

Figure 40 is an exemplary screen display illustrating a policy knowledge query according to an embodiment of the invention;

Figure 41 is an exemplary screen display illustrating a policy compliance violation report according to an embodiment of the invention;

Figure 42 is an exemplary screen display illustrating a policy compliance violation code and report according to an embodiment of the invention;

Figure 43 is an exemplary screen display illustrating a System Violation Notice Email and Snail Mail Notice according to an embodiment of the invention;

Figure 44 is an exemplary screen display illustrating a Subsequent Action Report according to an embodiment of the invention;

Figure 45 is an exemplary screen display illustrating The Appeal Process according to an embodiment of the invention;

Figure 46 is an exemplary screen display illustrating policy effectiveness reports according to an embodiment of the invention;

Figure 47 is an exemplary screen display illustrating policy effectiveness reports according to an embodiment of the invention;

Figure 48 is an exemplary screen display illustrating a policy effectiveness action according to an embodiment of the invention; and

Figure 49 is an exemplary screen display illustrating policy resources according to an embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

In the following description of the exemplary embodiments, reference is made to the accompanying drawings that form a part hereof, and in which is shown by way of illustration a specific embodiment in which the invention may be practiced. It is to be understood that other embodiments may be utilized and that structural changes may be made without departing from the scope of the present invention.

The present invention provides a method and apparatus for maintaining policy compliance on a computer network.

FIG. 1 is a block diagram illustrating policy effectiveness system 100 according to an embodiment of this invention. The hardware generally implementing the policy effectiveness system 100 may include computers having processors and memories distributed over a network as is well-known in the art. The memory may include RAM or fixed storage. The program steps implementing this invention are stored in the memory and executed by the computer processor. The present invention may be implemented using an intranet based application that can be stored on central servers, waiting to be called up and manipulated via a Web browser from any location. Those skilled in the art will recognize that a variety of configurations can be used without departing from the scope of the present invention and that a wide variety of distributed and multi-processing systems may be used. Each of the blocks of FIG. 1 will be introduced, followed by a detailed explanation of each block.

Block 105 represents a policy training module for developing network security policies.

Block 110 represents a policy compliance monitor for monitoring compliance across the network.

Block 115 represents a policy compliance and reporting module for managing information received from the compliance monitor.

Block 120 represents the policy effectiveness module for managing the policy training module 105 and compliance monitor 110.

Block 130 represents the database for storing policy and compliance information for the policy effectiveness system 100.

Block 135 represents the document management system of the compliance monitor 130.

Block 140 represents the email compliance system of the compliance monitor 130.

Block 145 represents the policy resource module for storing and managing policy resources.

Block 150 represents the user profile module for storing user information.

POLICY TRAINING MODULE 105

The policy training module 105 typically is an interactive, multimedia, policy awareness training program which helps employees gain a better understanding of the basic concepts of network security, email and Internet technologies.

The policy training module 105 presents the network user with a suggested network policy the organization wishes to implement. Policy training module 105 is designed to help the user understand potential risks that an organization faces if a policy is not implemented, the potential advantages and disadvantages of the policy in question, and the management and ethical principles affecting the potential policy in question. The network policies are generated by guidelines created from employee feedback obtained during a training session.

The policy training module 105 is comprised of several templates. When the system is first implemented, policy consultants work with management personnel within an organization to determine the organization's policies for the initial training sessions, which may relate to, for example, an entire enterprise or a specific department of an enterprise. The initial policies are entered into a policy training database 130 and are the foundation for the initial training programs. As is further described below, after the initial policy training session, the policy effectiveness system 100 will analyze all of the information gathered from the areas it monitors and compare it to each network user profile 150 to determine the policy training needs of individual network users. Then, the system customizes the policy training materials for the user training sessions.

To access policy training materials, the user is prompted to enter a password and hardware token. The user may be shown a hypertext list of policy training options. The training options may be, for example, to enter a policy training session, review for a policy exam, or take a policy exam.

Policy Training Session

The policy training session may combine interactive multimedia, group policy development discussions, and policy exercises with individual policy review and feedback screens. The result is typically employee generated policy guidelines for network security policies.

In the preferred embodiment, the computer screen for the policy training session is divided into three frames. The divided screen gives the user the option to review and answer policy recommendation questions, see and participate in group policy discussions, and pause the interactive group policy discussion session. After pausing the interactive group policy discussion section, the user may review dynamic policy recommendations and statistics from previous policy sessions, request additional information on a topic or subject presented during the previous policy session, or seek technical and product support.

The policy training module 105 collects and records both individual and group policy recommendations. The policy training module 105 uses the user's policy recommendations as a benchmark for other users to use during policy creation/training sessions, and to track policy training effectiveness.

FIG. 2 is a block diagram illustrating the steps performed by the policy training module according to an embodiment of this invention.

Block 200 represents the beginning of the policy training process. Figure 10 is an exemplary screen display illustrating the opening screen for policy training according to an embodiment of the invention. The user may be asked to read a licensing agreement and indicate if he accepts or declines the terms of the agreement by clicking on the appropriate icon. Figure 11 is an exemplary screen display illustrating the terms of the software licensing agreement according to an embodiment of the invention. Figure 12 is an exemplary screen display illustrating the terms of the continuation of the software licensing agreement according to an embodiment of the invention. A message stating the privacy rights of the user typically remains on the screen until the user clicks on an accept or decline icon. Figures 13 and 14 are exemplary screen displays illustrating the terms of the privacy agreement according to an embodiment of the invention.

Block 202 represents the policy training module 105 presenting the network user with screen personality options. A screen personality represents a person who is executing the training session under an assumed screen name and identity. In other words, a screen personality relates to a real person taking a training session. The user is typically presented with a screen and is asked to choose a screen name and identity (e.g., Avatar) from a list of screen personalities for the training session. Such screen personalities give users greater privacy and the freedom to answer policy questions without fear of retaliation from other employees participating in the program. Figure 15 is an exemplary screen display illustrating choosing a screen identity according to an embodiment of the invention.

Block 204 represents the policy training module 105 recording the network user's screen personality in the policy effectiveness database.

Block 204 represents the policy training module 105 assigning the user a session number. Figure 16 is an exemplary screen display illustrating assigning the user a session number according to an embodiment of the invention.

Block 206 represents the policy training module 105 recording the network user's session number. The session number may be used to track and reference the training session in the policy effectiveness module.

Block 208 represents the policy training module 105 presenting the network user with a virtual training room. The user may be prompted to click on an icon to enter the virtual training room. The virtual training room is typically similar to an Internet chat room.

Block 208 represents the policy training module 105 presenting a virtual facilitator. In a preferred embodiment, the user is introduced to the program's virtual facilitator who introduces the training participants to each other, explains the training rules, and assures the training program remains on schedule. The virtual facilitator is typically stored in the policy training database 130. Figure 17 is an exemplary screen display illustrating the introduction to the facilitator according to an embodiment of the invention.

In the preferred embodiment, a maximum of 5 screen personalities can participate per training session. Block 212 is a decision block representing the policy training module 105 determining if there are less than three participants registered for a session. If so, block 220 represents the policy training module 105 determining the number of virtual personalities needed for the system; otherwise, control is passed to decision block 214. The system monitors the number of screen personalities registered for a training session. The system records each user's training session including the user's policy suggestions, individual feedback and onscreen comments provided during the training session. Block 222 represents the system generating a virtual personality to participate in the training session. A virtual personality may be implemented in the form of a template having fields including information copied from a user's previous training session. When the policy training module 105 determines that a virtual personality is needed for a training session, the present system may be implemented so that the module 105 launches an algorithm to generate a virtual personality to participate in the training session. The algorithm copies information from the policy recommendation database 224 stored in database 130. Block 226 represents the policy training module 105 storing the virtual personality in the database 224. The policy recommendation database 224 is comprised of policy information previously submitted by a screen personality including policy suggestions, individual feedback and onscreen comments provided during previous training sessions. Virtual personality information obtained during previous training sessions is retrieved from the policy recommendation database 224. The algorithm copies the policy information from the previous policy modules, and positions and scripts the policy information for the present training session. Script is defined as positioning and pacing the policy information per policy module to make it appear as though it is occurring in real-time. This provides the user with a virtual personality and an interactive, simulated real-time training experience without the user being dependent upon the availability of others for interaction, discussions and training. After introductions, the user is typically prompted to click on either an agree or decline icon to indicate his understanding of the training rules and to indicate his readiness to proceed. Block 220 represents the policy training module 105 generating a policy.

Block 214 is a decision block representing the policy training module 105 determining if there are less than five screen personalities registered for the session. If so, block 216 represents the policy training module 105 dividing the participants into two sessions; otherwise, control is passed to block 220 which represents the policy training module 105 generating a policy. Block 216 represents the policy training module 105 assigning the participants a new session number.



The policy training process:

FIGS. 3A-3C are block diagrams further illustrating the steps performed by the policy training module 105 in performing the generating a network security policy step represented by block 220 according to an embodiment of this invention.

Block 300 represents the policy training module 105 indicating that the network user is ready to begin policy training by presenting the network users with suggested policy information.

Block 302 represents the policy training module 105 receiving suggested policies from the network users. Figure 18 is an exemplary screen display illustrating the suggested policy according to an embodiment of the invention. The suggested policy information typically is stored in a policy training database 130. The user is asked to review the policy information and a policy suggestion for a limited period of time. The policy training module 105 collects a policy suggestion from each network user's policy review session.

Block 304 represents the policy training module 105 recording all individual policy recommendations.

Block 306 represents the policy training module 105 prompting the network user to join a group discussion after the network user has reviewed the information on his own. The network user indicates his readiness to join the group discussion, such as by clicking an icon. The network user's signal may be sent to the other participants' screens. Figure 19 is an exemplary screen display illustrating the network user discussion options according to an embodiment of the invention.

Block 308 represents the policy training module 105 notifying the other participants that a network user is prepared to enter the group session. Once the individual network users are ready to discuss the policy, the facilitator begins the session monologue and monitors the session's content and time.

Block 310 represents the policy training module 105 retrieving the electronic facilitator from the database 120. The electronic facilitator serves as a moderator for the training module. For example, the electronic facilitator prompts the users for input and monitors the time spent on each issue.

Block 312 represents the policy training module 105 connecting individual network users to the policy training chat room.

Blocks 314, 316 and 318 represent the individual network user computers connected to the policy chat room of the policy training module 105. One or more individual network user's policy recommendations may be displayed to the group.

Block 322 represents the policy training module 105 displaying network user policy recommendations to the group. The policy recommendations may be shown in a different color and font. Figure 20 is an exemplary screen display illustrating group policy discussions according to an embodiment of the invention. The individual recommendations are used to develop a group policy consensus.

From the discussion, the group confers, online, to write a policy recommendation. All group participants can view the policy recommendations and group discussions from previous policy training sessions. Figure 21 is an exemplary screen display illustrating policy writing according to an embodiment of the invention.

Block 324 is a decision block representing the policy training module 105 querying the user regarding whether he wants more policy information. If so, block 326 represents the policy training module 105 retrieving the policy training information and displaying it to applicable network users; otherwise block 328 represents the policy training module 105 collecting policy recommendations from the group. The group confers, online, to write a policy recommendation. The policy training module 105 collects and records all group policy recommendations. Figure 22 is an exemplary screen display illustrating the network user discussion options according to an embodiment of the invention.

Block 330 represents the policy training module 105 recording the group policy recommendations in the policy recommendation database 224.

Block 332 represents the policy training module 105 calculating and ranking the group responses in the policy training database. For example, the policy with the most user votes may be the policy of group consensus.

Block 334 is a decision block representing the policy training module 105 determining if a policy consensus has been achieved. If so, then block 336 represents the policy training module 105 displaying the group consensus; otherwise, control typically is returned to block 322. If there is a tie for group consensus, the system requires network users to review the policy options and re-vote. Each user's policy information is displayed, and the group reconsiders its recommendations and attempts to come to a group policy consensus.

The process illustrated in blocks 322 through 334 is repeated until a group policy consensus is achieved.
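The tally, ranking and tie handling of blocks 332 and 334, and the re-vote loop of blocks 322 through 334, written out as an added example that is not part of the patent; the function names, the option labels and the sample ballots are constructed for illustration.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A ballot maps each screen personality to the policy option it voted for.
# All names and option labels in this example are constructed, not from the patent.
Ballot = Dict[str, str]

MAX_PERSONALITIES = 5  # the preferred embodiment allows at most 5 per session


def rank_group_responses(votes: Ballot) -> List[Tuple[str, int]]:
    """Block 332: tally the group's votes and rank the options, most votes first.

    Options with equal counts are ordered by label so the ranking is stable.
    """
    if len(votes) > MAX_PERSONALITIES:
        raise ValueError(f"at most {MAX_PERSONALITIES} screen personalities per session")
    counts = Counter(votes.values())
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def group_consensus(votes: Ballot) -> Optional[str]:
    """Block 334: the top-ranked option is the consensus unless its vote count
    is tied with the runner-up. A tie yields None, meaning the participants
    must review the policy options and re-vote."""
    ranking = rank_group_responses(votes)
    if not ranking:
        return None
    if len(ranking) > 1 and ranking[0][1] == ranking[1][1]:
        return None
    return ranking[0][0]


def run_consensus_loop(rounds: List[Ballot]) -> Tuple[Optional[str], List[dict]]:
    """Blocks 322 through 334 repeated: each entry of `rounds` is the ballot
    collected in one pass through the group; stop at the first round that
    produces a clear consensus. Returns the consensus (None if every round
    tied) and the per-round history that block 330 would record."""
    history: List[dict] = []
    for number, votes in enumerate(rounds, start=1):
        consensus = group_consensus(votes)
        history.append({"round": number,
                        "ranking": rank_group_responses(votes),
                        "consensus": consensus})
        if consensus is not None:
            break
    return (history[-1]["consensus"] if history else None), history


# Constructed sample: round 1 ties 2-2, so the group re-votes; round 2 resolves it.
SAMPLE_ROUNDS: List[Ballot] = [
    {"Avatar1": "Option A", "Avatar2": "Option B",
     "Avatar3": "Option A", "Avatar4": "Option B"},
    {"Avatar1": "Option A", "Avatar2": "Option B",
     "Avatar3": "Option A", "Avatar4": "Option A"},
]

if __name__ == "__main__":
    result, rounds = run_consensus_loop(SAMPLE_ROUNDS)
    for entry in rounds:
        print(entry)
    print("consensus:", result)
```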

Block 336 represents the policy training module 105 displaying policy consensus. Figure 23 is an exemplary screen display illustrating the policy consensus according to an embodiment of the invention.

Block 338 represents the policy training module 105 recording the policy consensus. The process of developing a consensus policy is repeated until all of the policy modules have been reviewed and addressed.

Block 340 is a decision block representing the policy training module 105 determining if there are no additional policy modules to complete. If so, block 300 represents a repeat of the policy generation process; otherwise, block 342 represents the policy training module 105 presenting a suggested policy to the network user and assembling and recording the group consensus policies from each policy module.
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The policy training module 105 assembles and records the group consensus 
policies from each policy module in the network security policy database 130. 

Block 344 represents the end of the policy generation process of the policy 
training module 105 

5 When the training session is completed, the network user is given the options 

to start the policy exam, review policy training materials, or end the session. Figure 

24 is an exemplary screen display illustrating the policy training options according 
to an embodiment of the invention. 

10 Start the policy exam 

FIG. 4 is a block diagram further illustrating the steps performed by the 
policy training module in administering a policy training exam according to an 
embodiment of the present invention. The network user is given an online policy 
exam to reinforce the information presented in the policy training session. 
1 5 Block 400 represents the policy training module 105 receiving a request for a 

policy training exam from the network user. 

Block 402 represents the policy training module 105 retrieving a policy exam
from the policy training database 130 and presenting it to the network user. Figure
25 is an exemplary screen display illustrating the policy exam according to an
embodiment of the invention. Once the network user completes the exam, he is
prompted to send the exam to policy effectiveness 120 where the information
regarding the user's taking of the exam is recorded.

Block 404 represents the policy training module 105 receiving the exam
answers from the network user and tabulating the network user's score. During the
exam tabulation period, the network user is asked to fill out a policy training
feedback and evaluation form.

Block 406 represents the policy training module 105 retrieving a policy
training feedback and evaluation form from the policy training database 130 and
sending it to the network user. Figure 26 is an exemplary screen display illustrating
a training feedback and evaluation form according to an embodiment of the
invention. The network user completes the policy training feedback and evaluation
form and returns it to the policy training module 105.

Block 408 represents the policy training module 105 storing the policy
training feedback and evaluation form in the User's Profile database 150.

Block 410 represents the policy training module 105 sending the network user
his exam score after the feedback and evaluation form is completed.

After the employee completes the policy building session, the policy training
module 105 may request that the user sign an Appropriate Use Agreement/Employee
Agreement designed to limit the organization's liability. Figure 27 is an exemplary
screen display illustrating an Appropriate Use Agreement/Employee Agreement
form according to an embodiment of the invention. Figure 28 is an exemplary
screen display illustrating an Appropriate Use Agreement/Employee Agreement
form according to an embodiment of the invention. Block 412 represents the policy
training module 105 sending the network user an Appropriate Use
Agreement/Employee Agreement. The user reads and signs the Agreement. The
user returns the Agreement to the policy training module 105. The signed
Agreement is kept in the User Profile database 200 and a copy is emailed to the user
for his records.

Block 414 represents the policy training module 105 receiving the Agreement 
and storing it in the User Profile 150. 

Block 416 represents the policy training module 105 sending an email 
message to the network user with a copy of the Agreement attached. 

Block 418 represents the end of the policy exam process. Figure 29 is an 
exemplary screen display illustrating the end of the training according to an 
embodiment of the invention. If the user fails the exam, the policy training module 
105 will ask him if he wants to retake the exam, review policy training materials, or 
end the session. 

POLICY COMPLIANCE MONITOR 110 

The Policy Compliance Monitor 110 works with the Policy Effectiveness
Module 120 to provide network user compliance monitoring against the network security
policy stored in a database; it electronically evaluates network security policy
compliance based on network user compliance, and undertakes a network policy
compliance action in response to network security policy compliance. Network user
compliance monitoring is defined as monitoring network activity to insure users are
in compliance with the organization's network security policies. Network security
policy is a set of rules designed to limit an organization's risk and liability.

FIG. 5 is a block diagram further illustrating the operation of the policy 
effectiveness system according to an embodiment of this invention. 

The policy compliance monitor oversees user profile, email compliance,
internet compliance, document management and software compliance functions to
collect network user security policy compliance activities. Figure 30 is an
exemplary screen display illustrating the policy compliance and reporting according
to an embodiment of the invention.

Block 110 represents the policy compliance monitor of the policy
effectiveness system 100.

Block 150 represents the user profile module of the policy effectiveness
system 100. The user profile module 150 is a database comprised of information
about network users. For example, the user profile module 150 may contain
information about network user policy compliance history, employment history, and
network identification information. Figure 31 is an exemplary screen display
illustrating the User Profile according to an embodiment of the invention.

Block 140 represents the email compliance module of the policy
effectiveness system 100. The email compliance module 140 collects information
on network users' email use activity. Figure 32 is an exemplary screen display
illustrating email compliance according to an embodiment of the invention.

Block 135 represents the document management module of the policy
effectiveness system 100. Figure 33 is an exemplary screen display illustrating
Document Management according to an embodiment of the invention. The
document management module 135 collects information on documents in the
system. This may include document history, document authenticity, network user
access to documents, and document access and disclosures.
Block 500 represents the software compliance module of the policy
effectiveness system 100. The software compliance module 500 collects
information on how network users utilize software on the network. Figure 34 is an
exemplary screen display illustrating Software Compliance according to an
embodiment of the invention.

Block 502 represents the audit function of the policy effectiveness system
100. The audit function collects information from all of the policies monitored by
the policy compliance monitor 110. Each monitored policy is assigned a value
representing a target baseline compliance level for network policy compliance
("network policy compliance"). In the preferred embodiment, the numeric value
assigned to each monitored policy is 95, representing that for each policy 95% user
compliance is required. Each network user compliance activity has a numeric value
the system monitors representing a target baseline compliance level for user policy
compliance ("user policy compliance").

Block 504 represents the network security policy compliance database of the
database 130. The baseline compliance level assigned to each monitored policy is
stored in the network security policy compliance database 504 of the database 130.
The audit function is responsible for reviewing network user compliance and
network security policy.

Figure 35 is an exemplary screen display illustrating the audit function
according to an embodiment of the invention. Block 506 represents the network
security policy database. The network compliance value is monitored in relation to
the user compliance value stored in the network security policy database 506.

Block 508 is a decision block representing the policy effectiveness system
100 analyzing the network policy compliance value in relation to the user
compliance policy value. If the user policy compliance value is greater than or equal
to the network policy compliance value, then block 120 represents the policy
effectiveness system notifying the policy effectiveness module 120 that the network
is in compliance. Otherwise, if the network policy compliance value is greater than
the user policy compliance value, the policy compliance monitor 110 measures the
difference between the network policy compliance value and the user policy
compliance value and undertakes a network compliance action in response to that
difference. Alternatively, the policy compliance monitor could undertake a network
compliance action anytime a policy violation occurred.

Figure 36 is an exemplary screen display illustrating a Network Non-Compliance
Notice according to an embodiment of the invention. Each policy is
associated with a corresponding group of network policy compliance actions ranging
from a mild level one action (e.g., notifying a network user), through level two (e.g., notifying the network
user and a policy administrator) and level three (e.g., providing a retraining module to a
network user, restricting a network user's network access rights), to a level four
action (e.g., restricting the network user's network access rights). Each compliance
action in the group is assigned a value related to a numeric value that may be
reported from monitoring network user compliance. The numeric value assigned is
based on the severity of the network policy compliance violation, i.e., the difference
between the network policy compliance value and the user policy compliance value.

Upon recording the difference between the network policy compliance value
and the user policy compliance value, the policy compliance and reporting module
115 records this information in the network security policy database 506 and begins
undertaking the appropriate network compliance action.

For example, an organization may have a personal email use policy. The
personal email use policy may limit each user to sending a maximum of 20 personal
email messages per day. The system assigns the numeric value of 95 to the personal
email messages policy. A value of 100 is the optimum network policy compliance
value. The compliance monitor collects information on network user compliance for
personal email use. If an individual sends 25 email messages, the system records a
user policy compliance value of 90. The user policy compliance value of 90 is
compared to the network policy compliance value of 100. The difference of 5 (95-90)
indicates to the policy effectiveness system 100 that a network policy
compliance action may be taken. In this example, a network user compliance value
of 5 may tell the system to execute a network compliance action.

In the preferred embodiment, the system has four action levels. Each action
level may be undertaken in response to a range of differences in compliance values.
Figure 37 is an exemplary screen display illustrating a Network Compliance Action
Notice according to an embodiment of the invention.

At a first action level, the system may send an email notifying the network
user to cease and desist the non-compliant activity.

At a second action level, the system may prompt the system administrator to
follow screen prompts to initiate procedures for the infraction. The policy
effectiveness system 100 notifies the network user and a system administrator.
Email and surface mail are automatically sent to the alleged violator and the system
administrator. The message may ask the alleged violator to discontinue the
inappropriate behavior or to reread the Intranet-based Policy Manual. The policy
effectiveness system 100 records if the user visits the electronic site of the Policy
Manual.

At a third action level, the policy effectiveness system 100 may file a policy
violation report and launch an investigation. The policy effectiveness system 100
sends email and surface mail to the alleged violator and the system administrator
informing them of the violation. A policy retraining module may be the most likely
course of action. At the third action level, the actions of the second infraction are
initiated and additionally an immediate referral is made to the appropriate policy
officer for review and action.

At the fourth action level, the policy effectiveness system 100 may restrict
the network user's network access rights and prompt the system administrator to
either begin investigation procedures and/or initiate a signal to the policy knowledge
base to determine the recommended course of action.

Block 510 represents the policy effectiveness system 100 undertaking a
network policy compliance action. The policy effectiveness system 100 sends a
signal to policy compliance and reporting 115 to record the non-compliant network
user activity.
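The audit comparison of blocks 502 through 510 and the four action levels above, written out as an added example; this is illustrative code, not code from the patent. The page gives the baseline value of 95, the optimum of 100, and the worked case of 25 personal messages against a limit of 20 yielding a user value of 90, but it states neither the formula that produces 90 nor the difference ranges that select each action level, so both of those are labelled assumptions here.

```python
# Added example, not code from the patent: models the audit comparison of
# blocks 502-510 and the four action levels described above.
from dataclasses import dataclass

# From the text: each monitored policy is assigned 95, i.e. 95% user
# compliance is required, and 100 is the optimum compliance value.
NETWORK_POLICY_COMPLIANCE_VALUE = 95
OPTIMUM_VALUE = 100

# ASSUMPTION: the patent gives no formula for turning activity into a user
# policy compliance value. Charging 2 points per message over the daily limit
# reproduces the page's example (25 sent, limit 20 -> value 90).
POINTS_PER_EXCESS_MESSAGE = 2

# ASSUMPTION: the page says each action level answers "a range of differences"
# but does not state the ranges; these are illustrative (level, low, high, action).
ACTION_LEVELS = [
    (1, 1, 5, "email the network user to cease and desist"),
    (2, 6, 10, "notify the network user and the system administrator"),
    (3, 11, 20, "file a violation report, launch an investigation, assign retraining"),
    (4, 21, 100, "restrict network access rights and prompt investigation"),
]


def user_policy_compliance_value(messages_sent: int, daily_limit: int = 20) -> int:
    """User policy compliance value for the personal email use policy."""
    excess = max(0, messages_sent - daily_limit)
    return max(0, OPTIMUM_VALUE - POINTS_PER_EXCESS_MESSAGE * excess)


@dataclass
class ComplianceDecision:
    user_value: int
    network_value: int
    difference: int      # 0 when the user meets or exceeds the baseline
    in_compliance: bool
    action_level: int    # 0 when no action is taken
    action: str


def evaluate(user_value: int,
             network_value: int = NETWORK_POLICY_COMPLIANCE_VALUE) -> ComplianceDecision:
    """Block 508 decision: compare the user value with the network policy value."""
    if user_value >= network_value:
        # Block 120: the network is in compliance for this user and policy.
        return ComplianceDecision(user_value, network_value, 0, True, 0, "none")
    # Block 510: measure the difference and pick the action whose range covers it.
    difference = network_value - user_value
    for level, low, high, action in ACTION_LEVELS:
        if low <= difference <= high:
            return ComplianceDecision(user_value, network_value, difference,
                                      False, level, action)
    raise ValueError(f"no action level covers a difference of {difference}")


if __name__ == "__main__":
    # The page's example: 25 personal messages against a limit of 20.
    print(evaluate(user_policy_compliance_value(25)))
```

With the page's numbers, 25 messages produce a user value of 90, a difference of 5 against the baseline of 95, and a level one action; a user at or under the limit scores 100 and is recorded as in compliance.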

POLICY COMPLIANCE AND REPORTING 115 

The policy compliance and reporting module 115 provides automated policy
monitoring, policy violation procedures and reporting, it tracks policy investigations
and generates policy investigation reports. These procedures work in conjunction
with existing policy compliance reporting, discipline and grievance procedures to
uphold the organization's technology policies.

Compliance

The policy compliance and reporting 115 monitors and records user and
network system activities, audit procedures and reporting, policy violation
procedures, investigations and reporting, and compliance/non-compliance status reporting.
FIG. 6 is a block diagram illustrating the steps performed by a policy
compliance and reporting module according to an embodiment of this invention.
The policy compliance and reporting process begins when the policy
compliance and reporting 115 receives a signal from the compliance monitor 110
that a network compliance action has been taken. Block 510 represents that a
network compliance action has been taken by the policy effectiveness system 100.

Block 600 represents the policy compliance and reporting 115 sending an
email or pager message to the system administrator notifying the administrator that a
network user compliance violation has occurred. The email message attaches a
policy compliance violation report (file) to the email and instructs the system
administrator to follow the compliance reporting procedures. Figure 38 is an
exemplary screen display illustrating a policy compliance violation report according
to an embodiment of the invention. The email instructs the system administrator to
log into the system, present a password and hardware token to access the policy
violation reporting procedures and indicates the screen option to choose. The screen
options available to the system administrator may include: file a policy compliance
violation report, investigate a policy compliance violation report, review audit and
system reports, the appeal process, review a user profile, policy resources, and
policy effectiveness reports.

File a policy violation report

In a preferred embodiment, a screen is displayed to the system administrator
indicating a network user policy compliance violation has occurred and a network
user compliance action, level two or greater, has been taken. The system
administrator is instructed to click on an icon to access the network user policy
compliance violation information and document the violation. Figure 39 is an
exemplary screen display illustrating a network policy action notice according to an
embodiment of the invention.

Block 503 represents the policy compliance and reporting 115 retrieving the
network user policy compliance violation documentation from the policy
effectiveness module 120. Policy compliance and reporting 115 advises the system
administrator on how to execute the designated network user compliance violation
reporting procedures. This is achieved by prompting the system administrator
through the reporting process and presenting a policy knowledge base. Figure 40 is
an exemplary screen display illustrating a policy knowledge query according to an
embodiment of the invention. A support icon is also available if the user needs to
discuss a specific procedure with a Policy Consultant.
Block 604 represents the policy knowledge database of the policy
compliance and reporting 115. The policy knowledge database is comprised of
automated network user policy compliance violation documentation. This may
include network policy violation report forms, detailed reporting instructions, and
an investigation procedures checklist. The policy compliance and reporting 115
analyzes the network user policy compliance violation information from the policy
knowledge database 604 and determines if an investigation action is needed.
After the system has analyzed the violation information, a policy violation
investigation report form is displayed on the user screen. Figure 41 is an exemplary
screen display illustrating a policy compliance violation report according to an
embodiment of the invention. All reports are documented in read-only format and all
modifications and changes to the non-compliance reports are an addendum to the
initial report. The system administrator is asked to supply the following network
compliance violation information regarding the claim: the network user's
name, e-mail address, title, department, mail station, type of violation (selected from a
non-compliance drop-down box), date of occurrence, date of report, and the official report of
the incident (by MIS, the user, or the policy officer).
A code is assigned to the policy compliance violation report. Figure 42 is an
exemplary screen display illustrating a policy compliance violation code and report
according to an embodiment of the invention. Block 606 represents the policy
compliance and reporting 115 assigning a code to the policy compliance violation
report. The code is used to identify and track the policy compliance violation report
in the policy effectiveness database. The system administrator, the policy officer and
the network user are the parties that may access the policy compliance violation
report. To access the policy compliance violation report the system administrator,
the policy officer and the network user are given the access code to the report and
are registered in the system. While completing the report, the system administrator
can access a network user's policy compliance report to review their network
activity history. All report communications, including the policy compliance
violation report, may automatically be sent via encrypted e-mail to a third party
organization and are kept in escrow. This insures the organization cannot access the
policy compliance reports in the system to change the content of the reports and
insure that they follow due process procedures.

The system administrator may contact the policy officer to schedule an in-
person appointment with the network user. Block 608 represents the policy
compliance and reporting 115 recording the appointment. Block 610 represents the
policy compliance and reporting 115 scheduling the appointment. A hyperlink to a
scheduling module is activated. An example of a schedule module is Microsoft's
Schedule Plus. Several meeting options are listed on the violation report to be
e-mailed and surface mailed to the network user. Figure 43 is an exemplary screen
display illustrating a System Violation Notice Email and Snail Mail Notice
according to an embodiment of the invention. The system monitors and records the
reporting and investigation process in the policy effectiveness database.

All registered parties are automatically e-mailed the policy compliance
violation report, all correspondence related to the report and the appointment date.
Block 508 represents the report information being distributed. Copies of the policy compliance
violation report are automatically sent to policy effectiveness, e-mailed to the policy
officer, surface mailed to the network user, e-mailed to the network, and a surface mail
copy printed and sent to the network user. The surface mail and e-mail reports are
form letters that may include an Internet address to help inform the network user
about the policy compliance violation reporting process. Policy compliance and
reporting 115 tracks and monitors the status of the complaint by monitoring the
scheduling module and tracking where the report is in the system. Block 612
represents the policy compliance and reporting 115 distributing the policy
compliance violation report information.

Printed copies of the policy compliance violation report, correspondence, and
related documents have a watermark printed in the header of the print out of the
policy compliance violation report with the words "corporate record" printed on the
top corner of the document. The printout may include the date the document was
created, who created the document, the version number of the report and the file
path. This is used to insure the authenticity of the policy compliance violation
report.
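The report record described in blocks 606 through 612 (a tracking code, a read-only initial report with changes kept as addenda, access limited to the three registered parties, and the "corporate record" header on printouts) as an added example; this is illustrative code, not the patent's own. The code format, the sample names and values, and the choice to carry the version number as one plus the number of addenda are assumptions, since the page specifies none of them.

```python
# Added example, not code from the patent: an append-only policy compliance
# violation report with a tracking code (block 606), access limited to the
# registered parties, and the "corporate record" header used on printouts.
from dataclasses import dataclass, field, FrozenInstanceError


def assign_code(year: int, sequence: int) -> str:
    # ASSUMPTION: the page only says a code is assigned; this format is illustrative.
    return f"PCV-{year}-{sequence:05d}"


@dataclass(frozen=True)
class InitialReport:
    """Fields the system administrator supplies; read-only once filed."""
    user_name: str
    email: str
    title: str
    department: str
    mail_station: str
    violation_type: str      # from the non-compliance drop-down box
    date_of_occurrence: str
    date_of_report: str
    reported_by: str         # "MIS", "user" or "policy officer"


@dataclass
class ViolationReport:
    code: str
    initial: InitialReport
    created_by: str
    created_on: str
    file_path: str
    # role -> name; only these parties may open the report
    registered_parties: dict
    addenda: list = field(default_factory=list)

    @property
    def version(self) -> int:
        # Version 1 is the initial report; every addendum adds one.
        return 1 + len(self.addenda)

    def can_access(self, person: str) -> bool:
        return person in self.registered_parties.values()

    def add_addendum(self, author: str, text: str) -> int:
        """Changes never touch the initial report; they are appended as addenda."""
        if not self.can_access(author):
            raise PermissionError(f"{author} is not registered on report {self.code}")
        self.addenda.append({"version": self.version + 1, "author": author, "text": text})
        return self.version

    def watermark_header(self) -> str:
        """Header printed on every hard copy to support authenticity checks."""
        return (f"corporate record | {self.code} | created {self.created_on} "
                f"by {self.created_by} | version {self.version} | {self.file_path}")


def initial_is_read_only(report: ViolationReport) -> bool:
    """True if the initial report rejects modification (frozen dataclass)."""
    try:
        report.initial.violation_type = "changed"   # type: ignore[misc]
    except FrozenInstanceError:
        return True
    return False


# Constructed sample report (all names, addresses and paths are made up).
SAMPLE = ViolationReport(
    code=assign_code(2001, 7),
    initial=InitialReport("J. Doe", "jdoe@example.test", "Analyst", "Finance",
                          "MS-12", "personal email use", "2001-03-04",
                          "2001-03-05", "MIS"),
    created_by="sysadmin",
    created_on="2001-03-05",
    file_path="/policy/reports/PCV-2001-00007.txt",
    registered_parties={"system administrator": "sysadmin",
                        "policy officer": "p.officer",
                        "network user": "J. Doe"},
)
```

Filing an addendum as a registered party raises the version to 2 and leaves the initial fields untouched; an unregistered author is refused, and the header carries the code, creator, date, version and file path the page lists for the watermark.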

Subsequent Action Report

FIG. 7 is a block diagram further illustrating the steps performed by the
policy compliance and reporting module 115 according to an embodiment of this
invention in generating a subsequent action report. Figure 44 is an exemplary screen
display illustrating a Subsequent Action Report according to an embodiment of the
invention. Block 700 represents the policy compliance and reporting module 115
receiving a message from the schedule module to begin subsequent action
procedures. The policy officer, the system administrator and the network user are
automatically reminded via e-mail of the requirement to individually file subsequent
meeting reports with the system. Block 702 represents the policy compliance and
reporting module 115 distributing notices via email. The policy officer, system
administrator and the network user are required to present login and password/token
information to file subsequent action reports with the system and to verify a policy
compliance violation meeting occurred.

The network user is also asked to sign an agreement indicating he attended
the policy enforcement meeting and reviewed the policies of the organization. The
system administrator and policy officer are asked to confirm and document that the
meeting took place. All parties complete the forms. Block 704 represents the
policy compliance and reporting module 115 retrieving subsequent action reports
from the parties. The system stores the documents in the policy effectiveness
database.

The system administrator is prompted by the system to record confirmation in the
subsequent action report form. The subsequent action form indicates if the network
user policy compliance violation claim is still under investigation, pending or is
closed.

Block 706 represents the policy compliance and reporting module 115
storing information related to the subsequent action reports. The policy compliance
and reporting module 115 monitors the status of all network user compliance
violations to insure that violation reports are properly reported and managed.

The Appeal Process

FIG. 8 is a block diagram illustrating the appeal process performed by a
policy compliance and reporting module according to an embodiment of this
invention. Figure 45 is an exemplary screen display illustrating The Appeal Process
according to an embodiment of the invention. After filing the subsequent action
report, the system gives the network user the opportunity to respond and appeal the
network compliance violation. Block 800 represents the policy compliance and
reporting module 115 prompting the network user with the appeal option. Block 802
represents the policy compliance and reporting module 115 receiving a signal to
begin the appeal process. The network user is given the option of choosing an appeal
facilitator from the organization. Appeal facilitators are employees of the
organization randomly chosen by the system to act as a facilitator for the appeal
process. The policy compliance and reporting module 115 reviews network user
profiles and chooses the network users with the lowest network user policy
compliance violation records to be facilitator candidates. Block 804 represents the
policy compliance and reporting module 115 retrieving appeal facilitator
information from the policy compliance and reporting database. The user chooses
the facilitator from the Appeal screen. The system records the process and
automatically sends an email to the facilitator. Block 806 represents the policy
compliance and reporting module 115 recording the facilitator. Block 808
represents the policy compliance and reporting module 115 assigning a password to
the facilitator. Block 810 represents the policy compliance and reporting module
115 sending an email to the facilitator. The e-mail explains the appeals process to
the facilitator and provides the facilitator with the passwords needed to access the
network user policy compliance violator's file. The facilitator has read-only access
to the network user compliance violation reports. The facilitator is automatically
copied on all appeal process communications. The system records this activity and
stores it in the policy effectiveness database.

Next, the internal officers are automatically prompted and sent a notice to
schedule the appeal meeting with the new facilitator, the network user, the system
administrator and the policy officer. Block 812 represents the policy compliance
and reporting module 115 prompting users to schedule an appeal meeting. The
process is reported to, stored, and tracked in the policy effectiveness module. Block
814 represents the policy compliance and reporting module 115 recording the
process. The appeal report is automatically sent to internal policy
officers. The network user is automatically sent information to inform him of his
procedural rights. The appeal report is automatically sent to the policy effectiveness
module, the policy officer and the network user, and a surface mail is sent to the
policy officer and the violator. Block 816 represents the policy compliance and
reporting module 115 distributing appeal information to all parties.

The facilitator logs into the system and reviews all of the documents
regarding the policy violation. The facilitator, the policy officer and the suspected
violator meet to listen to the violator's appeal. The facilitator and the policy officer
are required to present login and password/token information to file appeal reports
and to verify an appeal meeting occurred. Block 818 represents the policy
compliance and reporting module 115 retrieving appeal report forms from policy
compliance and reporting database. The appeal reports are comprised of several
fields. The facilitator and the policy officer are required to complete the online
reports. The policy effectiveness module analyzes the appeal reports to determine the final
decision. Block 820 represents the policy compliance and reporting module 115
analyzing the appeal reports. An email is sent to all parties with the final decision
file attached. Block 822 represents the policy compliance and reporting module 115
distributing the final appeal decision. Block 824 represents the policy compliance
and reporting module 115 transferring the appeal information to the policy
effectiveness module 120.

POLICY EFFECTIVENESS 120 

The policy effectiveness module 120 electronically collects, records,
analyzes and stores information from policy compliance monitoring, analyzes policy
compliance and reporting, evaluates network policy compliance actions undertaken
in response to the network security policy violations and electronically implements a
different network security policy selected from network security policies stored in a
policy database.

The policy effectiveness module 120 analyzes information collected from the
policy compliance and reporting 115 to determine if network user compliance
policies are effective. Figure 46 is an exemplary screen display illustrating policy
effectiveness reports according to an embodiment of the invention. Figure 47 is an
exemplary screen display illustrating policy effectiveness reports according to an
embodiment of the invention. If a policy is determined to be ineffective, a new
policy may need to be implemented.

The policy effectiveness module 120 monitors the policy compliance actions
taken over a period of time. At the time the system is implemented, the system
administrator may set the system to measure network compliance actions that have
been undertaken on a monthly, quarterly, annual, or historic (e.g., year-to-date) basis.
After the monitoring time period has been recorded in the system, the system
administrator may record the number of network policy compliance actions, per
network compliance policy, considered acceptable during that period of time.

The policy effectiveness module 120 analyzes the policy compliance actions
stored in the policy compliance and reporting module 115. Each policy is assigned a
value representing a target baseline compliance level for network policy compliance
("network policy compliance"). In the preferred embodiment, the numeric value
assigned to each monitored policy is 95, representing that for each policy 95% user
compliance is required. The level of user compliance for a group of network users
with respect to a particular policy is monitored. The network user compliance
activity for a group has a numeric value the system monitors representing the degree
of group user policy compliance ("group user policy compliance"). The network
compliance value is monitored in relation to the user compliance value stored in the
network security policy database 506.

FIG. 9 is a block diagram further illustrating a policy effectiveness system
according to an embodiment of this invention.

Block 900 represents the policy effectiveness module 120 determining
network policy compliance. Block 910 represents the policy effectiveness module
120 determining group user compliance. Block 920 is a decision block representing
the policy effectiveness module 120 analyzing the network policy compliance value
in relation to the group user compliance policy value. If the group user policy
compliance value is greater than or equal to the network policy compliance value,
then block 940 represents the policy effectiveness module 120 recording that the
network is in compliance with respect to a policy. Otherwise, if the network policy
compliance value is greater than the group user policy compliance value, the policy
effectiveness module 120 measures the difference between the network policy
compliance value and the group user policy compliance value and may undertake a
network compliance action in response to that difference.

Each compliance action in the group is assigned a value related to a numeric
value that may be reported from monitoring network user compliance. The numeric
value assigned is based on the severity of the network policy compliance violation,
i.e. the difference between the network policy compliance value and the group user
policy compliance value. Upon recording the difference between the network policy
compliance value and the group user policy compliance value, the policy
effectiveness module 120 records this information in the network security policy
database 130 and begins undertaking the appropriate network compliance action.
This action may include electronically implementing a different network security
policy selected from network security policies stored in the database, generating
policy effectiveness reports, and providing a retraining module to network users.

For example, the system administrator may have indicated that the password policy may not trigger more than 5 network compliance actions per month. If more than 5 network compliance actions occur in a month, the system sends a message to retrieve a different policy from the database 130. The policy is selected based on indexing criteria and on the difference between the group user policy compliance value and the network policy compliance value. Each policy has several actions ranging from lenient to restrictive. The policy effectiveness module 120 reviews the information collected by policy effectiveness monitoring to determine which policy to modify and the action to take. The policy effectiveness module 120 records the policy change and sends an email message to the system administrator to confirm the policy change. Figure 48 is an exemplary screen display illustrating a policy effectiveness action according to an embodiment of the invention. An enterprise-wide email is also sent to all network users to alert them to the change in policy.
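The FIG. 9 comparison and the monthly action limit described above, worked through in code. This is an added illustration written for this page, not code from the patent. The record layout, the severity thresholds, the three password-policy variants and the sample observations are assumptions made for the example, and the compliance value is computed as the fraction of monitored users found compliant, which the text leaves open.

```python
"""Policy effectiveness evaluation modelled on the FIG. 9 flow.

Added illustration, not code from the patent.  The record layout, the
severity thresholds, the policy variants and the sample observations are
assumptions made for this example; the compliance value is computed as
the fraction of monitored users found compliant, which the text leaves open.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One monitoring result: did this user comply with the named policy?"""
    user: str
    policy: str
    compliant: bool
    when: date


# Stand-in for the network security policy database 130: for each policy,
# variants ordered from lenient to restrictive (assumed contents).
POLICY_DB = {
    "password": [
        "8 characters, rotate every 180 days",
        "10 characters with mixed classes, rotate every 90 days",
        "12 characters plus hardware token, rotate every 60 days",
    ],
}

# Severity is the gap between the network (target) value and the measured
# group value; the larger the gap, the stronger the compliance action.
ACTIONS_BY_SEVERITY = [
    (0.25, "implement_more_restrictive_policy"),
    (0.10, "provide_retraining_module"),
    (0.00, "generate_effectiveness_report"),
]


def compliance_value(observations):
    """Share of observations that were compliant, in [0, 1]."""
    if not observations:
        return 1.0
    return sum(1 for o in observations if o.compliant) / len(observations)


def evaluate(policy, network_value, observations):
    """Blocks 900-940: compare the group value with the network target value."""
    group_value = compliance_value([o for o in observations if o.policy == policy])
    if group_value >= network_value:
        return {"policy": policy, "compliant": True, "difference": 0.0, "action": None}
    difference = round(network_value - group_value, 4)
    action = next(a for threshold, a in ACTIONS_BY_SEVERITY if difference >= threshold)
    return {"policy": policy, "compliant": False, "difference": difference, "action": action}


class PolicyEffectivenessModule:
    """Records each compliance action and escalates a policy to its next
    more restrictive variant once the administrator's monthly limit is exceeded."""

    def __init__(self, max_actions_per_month):
        self.max_actions_per_month = max_actions_per_month
        self.actions = []                          # (policy, action, date)
        self.level = {p: 0 for p in POLICY_DB}     # index into POLICY_DB[p]

    def record_action(self, result, when):
        if result["action"] is not None:
            self.actions.append((result["policy"], result["action"], when))

    def actions_this_month(self, policy, when):
        return sum(1 for p, _, d in self.actions
                   if p == policy and (d.year, d.month) == (when.year, when.month))

    def current_policy(self, policy):
        return POLICY_DB[policy][self.level[policy]]

    def escalate_if_needed(self, policy, when):
        """Return True when the policy was changed to a more restrictive variant."""
        if self.actions_this_month(policy, when) <= self.max_actions_per_month:
            return False
        if self.level[policy] + 1 >= len(POLICY_DB[policy]):
            return False                           # already the most restrictive
        self.level[policy] += 1
        return True


def sample_observations(compliant, total, when=date(1999, 6, 1)):
    """Constructed sample: `compliant` of `total` users passed the password check."""
    return [Observation(f"user{i}", "password", i < compliant, when) for i in range(total)]


def demo():
    """Six daily checks at 60% compliance against a 90% target, limit 5 actions/month."""
    module = PolicyEffectivenessModule(max_actions_per_month=5)
    changed = []
    for day in range(1, 7):
        when = date(1999, 6, day)
        result = evaluate("password", 0.9, sample_observations(6, 10, when))
        module.record_action(result, when)
        changed.append(module.escalate_if_needed("password", when))
    return module, changed
```

Running `demo()` records one compliance action per day; the sixth action in June exceeds the limit of 5 and the module moves the password policy from the lenient variant to the next more restrictive one. The escalation stops at the most restrictive variant, a case the text does not address but that any implementation must handle.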

POLICY RESOURCES 145 

The policy effectiveness system 100 includes a policy resources database 145 and a software resources database to help users and administrators maintain policy compliance. Figure 49 is an exemplary screen display illustrating policy resources according to an embodiment of the invention. Materials included in the policy resources database 145 include a policy reference library, legal research, a policy manual, and a self-serve policy section. The policy reference library has a search engine to help the user quickly search for and find policy information. Users can contact support personnel by email, pager, telephony, fax, or telephone. It is important that users have immediate access to a support person, since major policy violations may require organizations to act quickly in order to protect their network from damage. Internal legal and policy personnel can access legal statutes and other related policy documentation relating to email and virtual policies in the workplace.
The policy manual is presented to users such that they will be able to read and review it periodically. Users are periodically required to sign an online form indicating that he or she has read the policies and any policy revisions and understands all of the policies. Annually updated information is highlighted for fast review. The policy effectiveness system 100 tracks each user's visits to the policy manual. The self-serve policy section allows the policy officer to revise the policy. The policy officer is prompted to access a policy database and is instructed to download a new policy when the system has determined that a policy is ineffective and users are consistently out of compliance with the current policy. The new policy or policies are automatically added to the policy effectiveness system and to the organization's policy manual.

Software resources include software listings and updates; guidelines for proper use including email etiquette and netiquette training; Internet information and personal safety training; optional registration of an encryption private or public key with the system; a listing of the organization's approved and licensed software; software downloading guidelines and approved procedures; tech support for users' questions; registration of newly downloaded software with the system; management-approved trialware, shareware and other software submitted for review by the organization; operations and support information; regulation, policy, and Freedom of Information Act materials; information explaining how the system works, including product support and services, telephony, text-based support, and in-house support options; a simple do's and don'ts security module for non-technical activity; and online safety information.

25 Security, System Backup, and Recovery Processes 

Users must present a password and a hardware token to access the policy effectiveness system 100. Most organizations concentrate their security resources on securing the perimeter of their network. Unfortunately, the greatest threat to an organization is its employees, who, with network access, can cause greater damage than an external intruder.
The policy effectiveness system 100 employs an electronic tag to monitor document level access and security and to track information on a per document basis. This creates the opportunity to prove document authenticity, to track the copies and revisions of a document, and to monitor and report document access and disclosures.


System backup and recovery

The policy effectiveness system 100 has an online backup feature. This feature offers full redundancy without the expense of off-site storage, and limits the process of physically cataloging and indexing backup tapes. Cataloging and indexing of backups is completed automatically by the system. Backman is existing software that performs this function.



Software Compliance

Most large organizations are not cognizant of the type of software licenses they have, which workstation and/or server has which software, who is using what software, and whether or not the organization is in compliance with its software licensing agreements. Users can easily download freeware, shareware, trialware, and permware software from the Internet. All software is distributed with compliance conditions or restrictions on its use, even if it is identified as freeware, shareware or trialware, or is copyrighted but freely distributed.

To effectively monitor an organization's software compliance, periodic network audits are needed to identify deviations in the software inventory, and to reconcile software license agreements with software and hardware inventories. Products that monitor software licenses are known in the art, for example the FLEXlm software by Globetrotter.

Each user is registered in the user profile database 150. The user profile database 150 includes a user's hardware and software inventory information, as well as the user's name, email address, surface mail address, employment status (e.g., temp, contract, virtual), title, department, organizational chart indicating who the user reports to, the direct reports, his assistant, and mail station address. It also may indicate the software present on a user's workstation and the user's system



The user profile database 150 also retains copies of any Employment Agreements and other employment-related contracts, and maintains a record of the user's policy training and exam status, policy compliance history, network activity, and any special network access or privileges such as using the network for charitable use. Additionally, the user profiles 150 may also be used to monitor software downloads from the network or the Internet to hardware, through network activity reports and network audits, including any software approved for use by management and other special approvals. Additional user information can be monitored and collected to assist the organization's reporting needs.

The policy effectiveness system 100 includes an object library/object level licensing system similar to FLEXlm by Globetrotter.

The policy compliance monitor 110 features dynamic updating and 
exchanging of software licensing agreements. The compliance monitor 110 reviews 
all software license agreements and maintains records of the vendor information. 
The compliance monitor 110 sends a notification to the system administrator 
indicating that a software license is about to expire. The system administrator is 
prompted to send an email to the licensing organization to update the license 
agreement. Once the updated license agreement is received via email, the system 
automatically updates the software license registered and stored in the compliance 
monitor 110. 
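The periodic audit, the reconciliation of inventory against license agreements, and the expiry notification described above, as an added example that is not the patent's code and does not call FLEXlm. The audit and license record layouts, the sample inventory, the vendor address and the 30-day warning window are assumptions made for the example.

```python
"""Software license reconciliation, audit deviations and expiry notices.

Added illustration, not the patent's code and not a FLEXlm API.  The
record layouts, the sample inventory and licenses, the vendor address and
the 30-day warning window are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Installation:
    """One row of a network software audit."""
    host: str
    user: str
    product: str


@dataclass(frozen=True)
class License:
    """One software license agreement on file with the compliance monitor."""
    product: str
    vendor: str
    vendor_email: str
    seats: int
    expires: date


def reconcile(installations, licenses):
    """Compare the audited inventory with the license entitlements.

    For each installed product report how many hosts carry it, how many
    seats are licensed, and whether the organization is 'ok',
    'over_deployed' or has 'no_license' on file."""
    by_product = {lic.product: lic for lic in licenses}
    hosts = {}
    for inst in installations:
        hosts.setdefault(inst.product, set()).add(inst.host)
    findings = {}
    for product, host_set in hosts.items():
        lic = by_product.get(product)
        licensed = lic.seats if lic else 0
        installed = len(host_set)
        if lic is None:
            status = "no_license"
        elif installed > licensed:
            status = "over_deployed"
        else:
            status = "ok"
        findings[product] = {"installed": installed, "licensed": licensed,
                             "status": status, "hosts": sorted(host_set)}
    return findings


def deviations(previous_audit, current_audit):
    """Installations that appeared or disappeared between two audits."""
    before, after = set(previous_audit), set(current_audit)
    key = lambda i: (i.host, i.product)
    return {"added": sorted(after - before, key=key),
            "removed": sorted(before - after, key=key)}


def expiring_licenses(licenses, today, warn_days=30):
    """Licenses expiring within warn_days, or already expired."""
    deadline = today + timedelta(days=warn_days)
    return sorted((lic for lic in licenses if lic.expires <= deadline),
                  key=lambda lic: lic.expires)


def renewal_request(lic, today):
    """Draft of the email the administrator is prompted to send to the vendor."""
    days_left = (lic.expires - today).days
    return {"to": lic.vendor_email,
            "subject": f"License renewal request: {lic.product}",
            "body": (f"Our {lic.seats}-seat license for {lic.product} expires on "
                     f"{lic.expires.isoformat()} ({days_left} days). Please send "
                     f"an updated license agreement.")}


# Constructed sample data, not a real inventory.
PREVIOUS_AUDIT = [
    Installation("ws01", "alice", "WordPro"),
    Installation("ws02", "bob", "WordPro"),
    Installation("ws03", "carol", "Spreadsheet"),
]
CURRENT_AUDIT = PREVIOUS_AUDIT + [
    Installation("ws04", "dave", "WordPro"),   # third copy of a 2-seat license
    Installation("ws05", "erin", "ZipTool"),   # downloaded, no agreement on file
]
LICENSES = [
    License("WordPro", "Acme", "licensing@acme.example", 2, date(1999, 7, 15)),
    License("Spreadsheet", "Acme", "licensing@acme.example", 5, date(2000, 12, 31)),
]


def run_audit(today=date(1999, 6, 25)):
    """Reconcile, list deviations and draft renewal notices in one pass."""
    return {"findings": reconcile(CURRENT_AUDIT, LICENSES),
            "deviations": deviations(PREVIOUS_AUDIT, CURRENT_AUDIT),
            "notices": [renewal_request(lic, today)
                        for lic in expiring_licenses(LICENSES, today)]}
```

`run_audit()` flags WordPro as over-deployed (three hosts on a two-seat agreement), ZipTool as software with no agreement on file, and drafts one renewal notice because the WordPro agreement expires within the warning window. One caveat on the automatic update described above: a license agreement that arrives by email is only as trustworthy as the message's origin, so the record should be updated only after the sender and the document have been verified, not on receipt alone.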

The policy effectiveness module 120 monitors and tracks network activity including all hardware and software in the policy effectiveness system 100. This module can generate reports to track an organization's user access, including failed login attempts and all attempts to launch privileged applications; any changes to system configuration parameters; software downloads from the Internet; software and hardware usage; location of software; location of software license agreements; type of software agreements; coordination of software license agreements with software utilization; statistical and graphical information regarding justification for software purchases, upgrades and maintenance expense; software installations; software access and security status; compliance, appropriateness, inappropriateness and excessive use of software and hardware resources throughout the enterprise; the number of people waiting for access to software applications; access time; value of software being used at any time; the need for upgrades; the need for training; projections for hardware, software and licensing costs/usage throughout the enterprise; hardware demand predictions; recommended re-routing of software and hardware; personally installed or permitted software installation; the need to streamline and more effectively use under-utilized system resources; over-utilization of system resources; potential policy infringements; system trends per department use; and the allocation of related costs to each department.
Software Applications Archive

The system records the storage location of all the software applications, software manuals, and software vendor information used by the organization to create documents. In the event that records or documents written in older versions of software must be produced, the software will be preserved and available for use.

The foregoing description of the exemplary embodiments of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. It is intended that the scope of the invention be limited not by this detailed description, but rather by the claims appended hereto.



WO 99/67931 PCT/US99/13998

WHAT IS CLAIMED IS: 

1. A method for maintaining policy compliance on a computer network, comprising the steps of:

electronically monitoring network user compliance with a network security policy stored in a database;

electronically evaluating network security policy compliance based on the network user compliance; and

electronically undertaking a network policy compliance action in response to the network security policy compliance.


2. The method of claim 1, wherein the evaluating step comprises the steps of:

electronically generating a network security policy compliance value based on monitoring network user compliance for a plurality of network users;

electronically comparing the compliance value to a target compliance value, wherein the target compliance value defines a baseline for network security policy compliance; and

wherein the undertaking step is based on a difference between the compliance value and the target compliance value.


3. The method of claim 2, wherein the compliance action is selected from a group comprising:

electronically implementing a different network security policy selected from network security policies stored in the database;

generating policy effectiveness reports; and

providing a retraining module to network users.

4. The method of claim 1, further comprising the step of electronically undertaking a user compliance action in response to monitoring network user compliance.
5. The method of claim 4, wherein the evaluating step comprises the steps of:

generating a network security policy compliance value based on monitoring network user compliance; and

comparing the compliance value to a target compliance value, wherein the target compliance value defines a baseline for network security policy compliance; and

wherein the undertaking step is based on a difference between the compliance value and the target compliance value.

6. The method of claim 5, wherein the user compliance action is 
selected from a group comprising: 

notifying a network user; 
notifying a policy administrator; 
providing a retraining module to the network user; and 
restricting the network user's network access rights. 

7. The method of claim 3, wherein each network security policy has a security level identifier identifying the relative restrictiveness of the policy, wherein the implementing step includes the step of electronically selecting a network security policy based on the security level identifier.

8. The method of claim 1, further comprising the step of interactively generating a network security policy, the generating step comprising the steps of:

electronically providing a suggested network security policy to a plurality of network users;

electronically receiving a modified network security policy from at least one of the network users;

electronically providing at least one of the modified policies to the network users; and

receiving a group modified policy from the network users.
9. The method of claim 1, wherein the monitoring step further comprises the steps of:

electronically providing a network policy exam to a network user;
electronically receiving exam answers from the network user;
electronically evaluating the exam results to generate an evaluation score;
notifying the network user of the evaluation score; and
storing the evaluation score in a database.

10. The method of claim 1, wherein the network security policy comprises:

a network hardware policy;
an email policy;
an internet policy;
a software license policy;
a document management system policy; and
a network security enforcement policy.

11. An apparatus for maintaining policy compliance on a computer network, the apparatus comprising:

a computer system comprising at least one processor and at least one memory, the computer system being adapted and arranged for:

(a) electronically monitoring network user compliance with a network security policy stored in a database;

(b) electronically evaluating network security policy compliance based on the network user compliance; and

(c) electronically undertaking a network policy compliance action in response to the network security policy compliance.

12. An article of manufacture for maintaining policy compliance on a computer network, the article of manufacture comprising a computer-readable storage medium having a computer program embodied therein that causes the computer network to perform the steps of:

electronically monitoring network user compliance with a network security policy stored in a database;

electronically evaluating network security policy compliance based on the network user compliance; and

electronically undertaking a network policy compliance action in response to the network security policy compliance.
Licensing Agreement
for
Virtual Policy Builder

END-USER LICENSE AGREEMENT FOR VIRTUAL POLICY BUILDER SOFTWARE - VIRTUAL WORKSPACE

IMPORTANT - READ CAREFULLY: This End-User License Agreement ("EULA") is a legal agreement between you (either an individual or a single entity) and the manufacturer ("PC Manufacturer") of the computer system ("COMPUTER") with which you acquired the Virtual Workspace software product(s) identified above ("SOFTWARE PRODUCT" or "SOFTWARE"). If the SOFTWARE PRODUCT is not accompanied by a new computer system, you may not use or copy the SOFTWARE PRODUCT. The SOFTWARE PRODUCT includes computer software, the associated media, any printed materials, and any "online" or electronic documentation. By installing, copying or otherwise using the SOFTWARE PRODUCT, you agree to be bound by the terms of this EULA. If you do not agree to the terms of this EULA, PC Manufacturer and Virtual Workspace are unwilling to license the SOFTWARE PRODUCT to you. In such event, you may not use or copy the SOFTWARE PRODUCT, and you should promptly contact PC Manufacturer for instructions on return of the unused product(s) for a refund.

SOFTWARE PRODUCT LICENSE

The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.

1. GRANT OF LICENSE. This EULA grants you the following rights:

* Software. You may install and use one copy of the SOFTWARE PRODUCT on the COMPUTER.

* Network Services. If the SOFTWARE PRODUCT includes functionality that enables the COMPUTER to act as a network server, any number of computers or workstations may access or otherwise utilize the basic network services of that server. The basic network services are more fully described in the printed materials accompanying the SOFTWARE PRODUCT.

* Storage/Network Use. You may also store or install a copy of the computer software portion of the SOFTWARE PRODUCT on the COMPUTER to allow your other computers to use the SOFTWARE PRODUCT over an internal network, and distribute the SOFTWARE PRODUCT to your other computers over an internal network. However, you must acquire and dedicate a license for the SOFTWARE PRODUCT for each computer on which the SOFTWARE PRODUCT is used or to which it is distributed. A license for the SOFTWARE PRODUCT may not be shared or used concurrently on different computers.

* Operating System Choice. PC Manufacturer may have elected to provide you with a choice of Virtual Workspace operating system software for the COMPUTER.

* OEM Back-up Utility. If PC Manufacturer has not included a back-up copy of the SOFTWARE PRODUCT with the COMPUTER, you may use the Virtual Workspace back-up utility, if included with the SOFTWARE PRODUCT, to make a single back-up copy of the SOFTWARE PRODUCT. You may use the back-up copy solely for archival purposes. After the single back-up copy is made, the backup utility will be permanently disabled.

2. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

* Limitations on Reverse Engineering, Decompilation and Disassembly. You may not reverse engineer, decompile, or disassemble the SOFTWARE PRODUCT, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

* Separation of Components. The SOFTWARE PRODUCT is licensed as a single product. Its component parts may not be separated for use on more than one computer.

* Single COMPUTER. The SOFTWARE PRODUCT is licensed with the COMPUTER as a single integrated product. The SOFTWARE PRODUCT may only be used with the COMPUTER.

* Rental. You may not rent or lease the SOFTWARE PRODUCT.

* Software Transfer. You may permanently transfer all of your rights under this EULA only as part of a sale or transfer of the COMPUTER, provided you retain no copies, you transfer all of the SOFTWARE PRODUCT (including all component parts, the media and printed materials, any upgrades, this EULA and, if applicable, the Certificate(s) of Authenticity), AND the recipient agrees to the terms of this EULA. If the SOFTWARE PRODUCT is an upgrade, any transfer must include all prior versions of the SOFTWARE PRODUCT.

* Termination. Without prejudice to any other rights, Virtual Workspace may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the SOFTWARE PRODUCT and all of its component parts.

3. UPGRADES. If the SOFTWARE PRODUCT is an upgrade from another product, whether from Virtual Workspace or another supplier, you may use or transfer the SOFTWARE PRODUCT only in conjunction with that upgraded product, unless you destroy the upgraded product. If the SOFTWARE PRODUCT is an upgrade of a Virtual Workspace product, you now may use that upgraded product only in accordance with this EULA. If the SOFTWARE PRODUCT is an upgrade of a component of a package of software programs which you licensed as a single product, the SOFTWARE PRODUCT may be used and transferred only as part of that single product package and may not be separated for use on more than one computer.

4. OEM COPYRIGHT. All title and copyrights in and to the SOFTWARE PRODUCT (including but not limited to any images, photographs, animations, video, audio, music, text and "applets" incorporated into the SOFTWARE PRODUCT), the accompanying printed materials, and any copies of the SOFTWARE PRODUCT, are owned by Virtual Workspace or its suppliers. The SOFTWARE PRODUCT is protected by copyright laws and international treaty provisions. You may not copy the printed materials accompanying the SOFTWARE PRODUCT.

5. DUAL-MEDIA SOFTWARE. You may receive the SOFTWARE PRODUCT in more than one medium. Regardless of the type or size of medium you receive, you may use only one medium that is appropriate for your single computer. You may not use or install the other medium on another computer. You may not loan, rent, lease, or otherwise transfer the other medium to another user, except as part of the permanent transfer (as provided above) of the SOFTWARE PRODUCT.

6. OEM PRODUCT SUPPORT. Product support for the SOFTWARE PRODUCT is NOT provided by Virtual Workspace Corporation or its subsidiaries. For product support, please refer to PC Manufacturer's support number provided in the documentation for the COMPUTER. Should you have any questions concerning this EULA, or if you desire to contact PC Manufacturer for any other reason, please refer to the address provided in the documentation for the COMPUTER.

7. OEM U.S. GOVERNMENT RESTRICTED RIGHTS. The SOFTWARE PRODUCT and documentation are provided with RESTRICTED RIGHTS. Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 or subparagraphs (c)(1) and (2) of the Commercial Computer Software - Restricted Rights at 48 CFR 52.227-19, as applicable. Manufacturer is Virtual Workspace Corporation, 250 East 6th Street, Suite 610, St. Paul, MN 55101.

FOR THE LIMITED WARRANTIES AND SPECIAL PROVISIONS PERTAINING TO YOUR PARTICULAR JURISDICTION, PLEASE REFER TO YOUR WARRANTY BOOKLET INCLUDED WITH THIS PACKAGE OR PROVIDED WITH THE SOFTWARE PRODUCT PRINTED MATERIALS.

Please indicate your acceptance of the software licensing agreement by clicking on the accept icon. If you disagree with the terms of the agreement, click the decline icon.
Virtual Workspace has created this privacy statement in order to demonstrate our firm commitment to privacy. The following discloses our information gathering and dissemination practices for this site: Virtual Policy Builder.

Your IP address is used to help identify you and your shopping cart.

Our site's registration form requires users to give us contact information (like their email address) and demographic information (like their zip code, age, or income level). The customer's contact information is used to contact the visitor when necessary. Users may opt-out of receiving future mailings; see the delete/deactivate section below. Demographic and profile data is also collected at our site. We use this data to tailor the visitor's experience at our site, showing them content that we think they might be interested in, and displaying the content according to their preferences. Financial information (like their account or credit card numbers) that is collected is used to bill the user for products and services.

Opt-Out

Our site provides users the opportunity to opt-out of receiving communications from us at the point where we request information about the visitor.

Delete/Deactivate

This site gives users the following options for removing their information from our database to not receive future communications or to no longer receive our service. You can send email to delete@virtualworkspace.com

Change/Modify

This site gives users the following options for changing and modifying information previously provided. Email update@virtualworkspace.com
Contacting the Web Site

If you have any questions about this privacy statement, the practices of this site, or your dealings with this Web site, you can contact

Virtual Workspace
250 East 6th Street
Suite 610
St. Paul, MN 55101
aj@virtualworkspace.com
Choosing a Screen Identity

Choose a screen name and identity for the training session by clicking on the screen name listed below.

Screen Names:
Sasha: the warrior princess
Alvin: the truck driver
Josh: the surfer dude
William: the investment banker
Alice: the domestic engineer
Your training session number is:
The session number is used to track and reference the training session in the policy effectiveness module.

Click on the training icon to enter the virtual training room.

[Training]
Meet the Facilitator

Click on the picture to meet and interact with the facilitator and the other participants for this training session.

You will need Real Audio to listen to the facilitator introduce the participants and the training rules.
Policy Suggestion

Desktop Piracy

Suggested Policy: To comply with laws governing software protection from piracy employees must not:

•Make copies of any software unless explicitly authorized.
•Exchange, trade or transfer copies of any software to others in cyberspace.
•Download copies of software that normally would have to be purchased.
•Purchase any software from the Internet without prior approval.

If you encounter pirated software or suspect software may have been pirated, notify the system administrator immediately and distance yourself from the real or suspected illegal activity.

Premise: Expect different people to have different standards. They are not better, not worse - simply different.

Principle: The principle of present choices states that current decisions tend to limit future action. This means that most important decisions affect two timeframes. The short-term result may be a benefit but the long-term result can be either a benefit or, as often happens, a consequence.

Do you agree or disagree with the suggested policy?

What changes would you make to the suggested policy?

Submit

Pause

Exit | Menu | Stats | Support
Policy Training

Participate in policy recommendation questions and group discussions.

Pause the program to:

Review policy recommendations and statistics from previous sessions

Request additional information on a topic or subject presented during the previous session

Technical product support
Fig. 20

Policy Feedback

Alvin: No changes

Josh: No changes

William: > I hate getting an approval to download software. I want that section changed.

Facilitator: > Does the group think about downloading software and approvals?

Josh: > Have the company make a list of approved software to download... Would that help you Will, or do you want the option to download anything?

William: > I could live with a list, as long as I can email someone to approve of the software I want to have downloaded.
Writing the Policy

Suggested Policy: To comply with laws governing software protection from piracy employees must not:

•Make copies of any software unless explicitly authorized.
•Exchange, trade or transfer copies of any software to others in cyberspace.
•Download copies of software that normally would have to be purchased.
•Purchase any software from the Internet without prior approval.

If you encounter pirated software or suspect software may have been pirated, notify the system administrator immediately and distance yourself from the real or suspected illegal activity.

Facilitator: If I am correct, you want this section added to the policy?

Add> > > All software downloads can be approved by the system administrator. The user needs to email the system administrator to get approval for downloading the software.
Vote on a Policy Recommendation

To comply with laws governing software protection from piracy employees must not:

•Make copies of any software unless explicitly authorized.
•Exchange, trade or transfer copies of any software to others in cyberspace.
•Download copies of software that normally would have to be purchased.
•All software downloads can be approved by the system administrator. All network users need to email the system administrator to get approval before downloading the software.
•Purchase any software from the Internet without prior approval.

If you encounter pirated software or suspect software may have been pirated, notify the system administrator immediately and distance yourself from the real or suspected illegal activity.

Do you agree or disagree with the policy?

Agree

Disagree
Policy Consensus

To comply with laws governing software protection from piracy employees must not:

•Make copies of any software unless explicitly authorized.
•Exchange, trade or transfer copies of any software to others in cyberspace.
•Download copies of software that normally would have to be purchased.
•All software downloads can be approved by the system administrator. All network users need to email the system administrator to get approval before downloading the software.
•Purchase any software from the Internet without prior approval.

If you encounter pirated software or suspect software may have been pirated, notify the system administrator immediately and distance yourself from the real or suspected illegal activity.
Policy Training

Main Menu

Start Policy Exam
Review Policy Training Materials
End Session

Fig. 25

Policy Training Exam

What is spam?

A slang term for an electronic contract
A luncheon meat
A slang term for junk e-mail
A term used for downloading files from the web
Training Feedback Form

Was the subject pertinent to your needs and interests?
No / To some extent / Very Much So

Rate each of the following: Excellent / Satisfactory / Dissatisfactory
Adequacy of Course Content
Length of Course
Adequacy of Course Materials
Adequacy of Learning Experience
Adequacy of Facilities

If any factor is rated "unsatisfactory", please provide explanation:

What was of least value to you in this seminar?

What was of most value to you in this seminar?

How will you apply this learning back on the job?

Would you recommend this course for other individuals/teams?
Yes / No
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Acceptable Use Agreement

This agreement is between the employee and the user indicated below.

The user agrees to the following:

1. All information stored on the company system is for educational, instructional or administrative purposes. All data stored on the company computer will be suitable for all audiences and shall not violate personnel privacy.

2. Use of the computer system for commercial purposes is prohibited.

3. User accounts which are issued for the purpose of making the organizational (county, program, etc.) Web site will have a designated primary user who is responsible for controlling access to the account. The primary user will not share his/her login ID and password with anyone outside the organizational unit, and will change the password regularly.

4. The company server(s) system is an electronic community. Users are community members and as such must be considerate of other users. Thus, users will attend to their own files and directories and leave others alone. Users shall inform the system administrator, or the Manager, if a problem arises with their account or the server(s).

5. Users will be good stewards of the electronic environment and will not waste space, computing power or other users' time.

6. Because this is an educational community, there are many children who have access to materials on the system. Users have a responsibility to ensure a nurturing environment for our children. Consequently, users will neither store nor transmit obscene, abusive or otherwise objectionable material on the system. Such actions will result in prompt termination of system privileges.

7. The company reserves the right to review any material stored on the system and will remove any material which it believes violates any element of this agreement.
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Acceptable Use Agreement (continued)

8. The company operates a reliable and effective computing environment and network; however, the company does not warrant that the system will meet any specific user requirement or that the system will be error free or uninterrupted. The company shall not be liable for any direct or indirect, incidental or consequential damages sustained or incurred in connection with the use or inability to use the company system.

User Signature:
Date:
Manager:
Internet e-mail address:

Click icons to accept or decline the terms of the Acceptable Use Policy.

(Accept) (Decline)
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The End

Thank you for participating in the policy training program.
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Policy Compliance and [remainder of figure title illegible]

(Exit)
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User Profile 



Name:
Employee Number:
Email Address:
Surface Mail Address:
Employment status (i.e. temp, contract, virtual):
Organizational/reporting chart:
Title:
Department/Unit Title:
Branch/Division:
Mail Address:

User's Employment Agreements and other contracts
Policy Training and Exam status
Policy Compliance History
Network Activity History
Special Network Access or Privileges
Email storage allocation
Document access level
User Access including failed login attempts
All attempts to launch privileged applications
Any changes to system configuration parameters
Software downloads from the Internet
Software usage
Hardware usage
Software present on a user's workstation
User's system access and security status
Identify need for upgrades
Identify need for training

USER PROFILE REPORTS
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REPORTS 

User access including failed login attempts
All attempts to launch privileged applications
Any changes to system configuration parameters
Software downloads from the Internet
Software usage
Hardware usage
Location of software
Location of software license agreements
Type of software agreements
Coordination of software license agreements with software utilization
Provide statistical and graphical justification for software purchases, upgrades and maintenance expense
Software installations
Software compliance
Appropriateness, inappropriateness and excessive use of software and hardware resources throughout the enterprise
Number of people waiting for access to software application(s)
Access time
Value of software being used at any time
Identify need for upgrades
Identify need for training
Projections for hardware, software and licensing costs/usage throughout the enterprise
Predict hardware demand
Re-route software and hardware as indicated
Personally installed or permitted software installation
Utilization of system resources
Identify potential policy infringements
Identify system trends per department use
Allocation of related costs related to department
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Audit

To: PolAdm@Virt.com
From: Sys@virt.com
RE: Audit Reminder
Branch Location: Minneapolis
Time: 11:20 a.m.
Date: May 20, 1998
CC: Policyeffect@virt.com, PolAdm@virt.com, Lan@virt.com

Audit Results

Violations:
Discrepancies:

Click on the report icon to complete the policy violation report.

(>) (<) (Main Menu) (Send) (Print) (Exit)
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Reference Number: 985h34 

Posted-Date: Mon, 20 May 1998 16:17:36 -0500 (CDT)
To: Jane Doe@virt.com
From: PolicyAdm@virt.com
Subject: Violation Notice

Network Non-Compliance Notice

Name:
Email Address:
Title:
Department/Unit Title:
Branch/Division:
Mail Address:
Violation:
Violation History: (hyperlink)
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Network Compliance Action Notice

The policy advisor has taken the potential violation into advisement and has determined the following procedures:

This is a Level 2 violation.

Follow the prompts to complete the violation reporting process for this level 2 violation.

Click (Start) to begin the violation reporting process.
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Policy Compliance Report Form 



Violator's Name:
Email address:
Title:
Department:
Mail Station:

Violation: Minor Violation / Major Violation
Type of Violation: (choose from drop down box)

Branch Location:
Date of Occurrence:
Date of report:
Official reporting the incident:

Policy Administrator:
Additional details:

(Ok) (Reset) (Cancel)

(>) (<) (Main Menu) (Exit)
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Network Compliance Action Notice

The policy advisor has taken the potential violation into advisement and has determined the following procedures:

This is a Level 2 violation.

Follow the prompts to complete the violation reporting process for this level 2 violation.

Click (Start) to begin the violation reporting process.
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Policy Knowledge Query 



Name:
Violation: [ ] Minor Violation [ ] Major Violation
Type of Violation: (choose from drop down box)
Branch Location:
Date:
Policy Administrator:
Additional details:

(Search) (Reset) (Cancel)

(User Help) Click icon for more information on how to respond to a violation report.

(>) (<) (Main Menu) (Send) (Print) (Exit)



Policy Compliance Report Form

Violator's Name:
Email address:
Title:
Department:
Mail Station:

Violation: Minor Violation / Major Violation
Type of Violation: (choose from drop down box)

Branch Location:
Date of Occurrence:
Date of report:
Official reporting the incident:

Policy Administrator:
Additional details:

(Ok) (Reset) (Cancel)
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Policy Violation Code and Report 



The claim you submitted has been assigned 985h34 as its reference code.

Encrypted email and surface mail copies of the policy violation claim report have been sent to:

• Jane Doe

• John Smith in Human Resources

• System Policy Administrator

• Virtual Workspace, LLC - a third party policy organization
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System Violation Notice 

Email and Snail Mail Notice

Name: Jane Doe
User Profile: (Review Profile from drop down menu)
Violation Type: [partly illegible] confidential file
Violation level: Level 2
Branch Location: Minneapolis
Time: 11:20 a.m.
Date: May 20, 1998
CC: Jsmith@Virt.com, PolAdm@Virt.com, Policy@virtualworkspace.com
File Attachments: Scheduling and violation report

The system indicates you have violated a virtual policy. Attached is a policy violation claim report for your review.

We will need your assistance to investigate the claim to determine if it is indeed accurate and if it warrants further discussion. Please follow the procedures below:

• Review the attached policy violation claim report

• Review your User's Violation History file at http://www.usen/i.com.

• Indicate any discrepancies in any of the reports

• Indicate your availability for an in-person follow up meeting

For further information click the user icon (User).

All report and investigation information is automatically recorded in the system.

Thank you for your cooperation.
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Subsequent Action Report 



Name: Jane Doe
Violation level: Level 2
Branch Location: Minneapolis
Time: 11:20 a.m.
Date: May 20, 1998
CC: Jsmith@Virt.com, PolAdm@Virt.com, Policy@virtualworkspace.com
File Attachments: Subsequent Action Report

Following the violation meeting, Human Resources and the user are required to file a subsequent meeting report to verify their attendance at the meeting.

The report can be accessed by clicking the report icon (Report).

If you have any additional questions or concerns, you may contact the Policy Administrator via email: PolAdm@Virt.com or by calling 555-1212.

If you do not agree with the outcome of the meeting, you may file for an appeal. To begin the appeal process, click on the appeal icon.
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The Appeal Process 



The Appeal Process grants the user due process, including the opportunity to respond to an alleged violation in writing. The user is given the option to choose an appeal facilitator from the organization.

The chosen facilitator is emailed and granted security and read-only access to the user's file. The facilitator is automatically copied on all appeal process communications. The system records all communications and written activity.

Internal officers are automatically prompted and sent a notice to schedule the appeal meeting with the new facilitator. The process is reported, stored, and tracked in the policy effectiveness module.

The appeal report is automatically sent to:

• Policy Effectiveness

• The policy officer and the user via email

• The policy officer and the user via snail mail

The user is automatically sent information to inform him of his rights. To access further information, click on the appeal icon (Appeal).
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Policy Effectiveness Reports 

Compliance Reports

Enter access code:
Enter hardware token:

Choose report(s) to review:

User/User profiles
Network nodes
Department
Division
Branch
Application
Time duration

Timeframe based on:
Historical and statistical reports
Current
Year-to-date
Custom time frames
Other

(>) (<) (Main Menu) (Send) (Print) (Exit)
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Policy Effectiveness Reports 

Enterprise-Wide Reports

Enter access code:
Enter hardware token:

Choose report(s) to review:

Policy compliance reports
Risk assessment
Strengths and weaknesses in policy compliance and non-compliance
Email compliance reports
Software compliance reporting
Patterns, statistics and assessment of policy violations and non-compliance
System backup reports
Document tracking reports
Audit and reconciliation reports

(>) (<) (Main Menu) (Send) (Print) (Exit)
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Policy Effectiveness 



Name: SystemAdm@Virt.com
Violation level: Level 2
Branch Location: Minneapolis
Time: 11:20 a.m.
Date: May 20, 1998
CC: Network@Virt.com, Policy@virtualworkspace.com
File Attachments: Policy Effectiveness Action Report

Policy Effectiveness has implemented a policy change for personal email usage.

The new policy sets the daily personal email usage at 35 messages vs. the previous 30 message limit. The personal email policy can be accessed at http://www.policy/personalemail.com
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Policy Resources 



Policy Reference Library
Legal Research
The Virtual Policy Manual
Policy Basics
Software Resources including software listings and updates
Software Registration
Tech and User Support
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